DETAILED ACTION



This final action is in response to the amendment filed on 01/21/2008. Claims 1 & 3-41 
are pending and have been considered as follows. 

Claim Objections 

1. Claims 1, 22, 39, & 41 are objected to because of the following informalities:

- Claim 1 lines 1 & 3 recite "for" which should be ". . .configured to. . .";

- Claim 22 line 1 recites "for" which should be ". . .of. . .";

- Claim 22 line 9 recites "a" which should be omitted;

- Claim 39 line 2 recites "computer readable media for controlling" which should be
". . .computer readable storage media configured to control. . .";

- Claim 41 lines 1, 3, & 5 recite "for" which should be ". . .configured to. . .";

2. Claim 3 is objected to under 37 CFR 1.75(c), as being of improper dependent form for
failing to further limit the subject matter of a previous claim. Applicant is required to cancel the 
claim(s), or amend the claim(s) to place the claim(s) in proper dependent form, or rewrite the 
claim(s) in independent form. Claim 3 has been amended to depend from Claim 6, however, 3 
cannot come after 6 and it appears that Claim 3 was meant to have been renumbered. 



Application/Control Number: 10/765,719 
Art Unit: 2136 



Page 3 



Claim Rejections - 35 USC §101 

3. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

Claim 39 is rejected under 35 U.S.C. 101 because the claimed invention is directed to
non-statutory subject matter.

Claim 39 recites "a computer program stored in computer readable media for controlling 
a computing platform to operate in accordance with claim 22" where "computer readable 
media" appears to include non-statutory subject matter. 
- The examiner notes that the suggested amendment to Claim 39 as recited in the above 
Claim Objections would overcome the 35 U.S.C. 101 rejection. 



Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language.

5. Claims 1, 4, 5, 7, 22, 25-27, & 39-41 are rejected under 35 U.S.C. 102(e) as being
anticipated by O'Brien et al. (US-6658571-B1).

Claim 1:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process comprising,

- "a system call monitor for detecting predetermined system calls and data manipulated by
the process so as to modify identifiable characteristics of the data" (i.e. "Security
manager. . .a set of rules that are being enforced by each security module 105, the ability
to load a new set of rules for a particular security module 105, and the ability to log and
view activity within security framework 101") [column 4 lines 5-13];

- "means for applying a data handling policy upon detecting: a predetermined data type
based on a tag or label associated with the data manipulated by the process or based on
the format of the data manipulated by the process" (i.e. "security framework 101 can be
used to implement more sophisticated label-based policies. . .creates and maintains a list
of labels, each label corresponding to a computing resource 106. Because of the
flexibility of security framework 101, these label-based policies could be quickly
changed, if needed, to adapt to new operating requirements") [column 4 lines 40-48];

- "a predetermined system call which involves the writing of data outside the process" (i.e.
"security framework 101 may be used to wrap a web browser in order to protect user 113
from downloaded malicious software") [column 4 lines 29-31].

Claim 4:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 1 above, further comprising,

- "predetermined system calls are those involving the transmission of data externally of the
computing platform" (i.e. "security framework 101 may be used to wrap a web browser
in order to protect user 113 from downloaded malicious software") [column 4 lines 29-31].

Claim 5: 

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 1 above, further comprising,

- "means for applying a data handling policy comprises a tag determiner for determining
any security tags associated with the data manipulated by the process or based on the
format of the data manipulated by the process handled by the system call" (i.e. "security
framework 101 can be used to implement more sophisticated label-based
policies. . .creates and maintains a list of labels, each label corresponding to a computing
resource 106. Because of the flexibility of security framework 101, these label-based
policies could be quickly changed, if needed, to adapt to new operating requirements")
[column 4 lines 40-48];

- "means for applying a data handling policy comprises a policy interpreter for determining
a policy according to any such tags and for applying the policy" (i.e. "security framework
101 can be used to implement more sophisticated label-based policies. . .creates and
maintains a list of labels, each label corresponding to a computing resource 106. Because
of the flexibility of security framework 101, these label-based policies could be quickly
changed, if needed, to adapt to new operating requirements") [column 4 lines 40-48].

Claim 7:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating 
system executing a process, as in Claim 5 above, further comprising, 

- "the policy interpreter comprises a policy database including tag policies" (i.e. "security 
framework 101 creates and maintains a list of labels, each label corresponding to a 
computing resource 106") [column 4 lines 43-45]; 

- "the policy interpreter comprises a policy reconciler for generating a composite policy 
from the tag policies relevant to the data" (i.e. "Because of the flexibility of security 
framework 101, these label-based policies could be quickly changed, if needed, to adapt 
to new operating requirements") [column 4 lines 45-48]. 

Claim 22: 

O'Brien et al. disclose a data handling method for a computer platform using an operating system
executing a process comprising,

- "detecting both a predetermined data type based on a tag or label associated with the data
or based on the format of the data" (i.e. "Additionally, security framework 101 can
provide audit and monitoring functionality to record information regarding the extent to
which each application 107 accesses computing resources 106") [column 4 lines 37-40];

- "predetermined system calls involving the writing of data outside the process" (i.e.
"security framework 101 may be used to wrap a web browser in order to protect user 113
from downloaded malicious software") [column 4 lines 29-31];

- "applying a data handling policy to a system call upon both said predetermined data type
and said predetermined system call being detected" (i.e. "security framework 101 can be
used to implement more sophisticated label-based policies. . .creates and maintains a list
of labels, each label corresponding to a computing resource 106. Because of the
flexibility of security framework 101, these label-based policies could be quickly
changed, if needed, to adapt to new operating requirements") [column 4 lines 40-48];

- "the data handling policy being applied for all system calls involving the writing of data
outside the process" (i.e. "security framework 101 may be used to wrap a web browser in
order to protect user 113 from downloaded malicious software") [column 4 lines 29-31].

Claim 25: 

O'Brien et al. disclose a data handling method for a computer platform using an operating system
executing a process, as in Claim 22 above, further comprising,

- "predetermined system calls are those involving the transmission of data externally of the
computing platform" (i.e. "security framework 101 may be used to wrap a web browser
in order to protect user 113 from downloaded malicious software") [column 4 lines 29-31].

Claim 26:

O'Brien et al. disclose a data handling method for a computer platform using an operating system 
executing a process, as in Claim 22 above, further comprising, 

- "determining any security tags associated with data handled by the system call" (i.e. 
"security framework 101 can be used to implement more sophisticated label-based 
policies. . .creates and maintains a list of labels, each label corresponding to a computing 
resource 106. Because of the flexibility of security framework 101, these label-based 
policies could be quickly changed, if needed, to adapt to new operating requirements") 
[column 4 lines 40-48]; 

- "determining a policy according to any such tags and applying the policy" (i.e. "security
framework 101 can be used to implement more sophisticated label-based
policies. . .creates and maintains a list of labels, each label corresponding to a computing
resource 106. Because of the flexibility of security framework 101, these label-based
policies could be quickly changed, if needed, to adapt to new operating requirements")
[column 4 lines 40-48].

Claim 27:

O'Brien et al. disclose a data handling method for a computer platform using an operating system
executing a process, as in Claim 26 above, further comprising,

- "a composite policy is generated from the tag policies relevant to the data" (i.e. "Because
of the flexibility of security framework 101, these label-based policies could be quickly
changed, if needed, to adapt to new operating requirements") [column 4 lines 45-48].




Claim 39: 

O'Brien et al. disclose a computer program stored in computer readable media comprising,

- "for controlling a computing platform to operate in accordance with claim 22" (i.e.
"Security modules 105 are kernel-loadable modules that make and enforce
application-specific or resource-specific policy decisions for applications 107")
[column 3 lines 39-41].

Claim 40: 

O'Brien et al. disclose a computer platform comprising, 

"to operate according to claim 22" (i.e. "Computing system 100 represents any 
processing system including, but not limited to, a personal computer, a workstation and a 
main frame computer") [column 3 lines 13-15]. 

Claim 41: 

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process comprising,

- "a system call monitor for detecting predetermined system calls and data handled by the
process" (i.e. "Security manager. . .a set of rules that are being enforced by each security
module 105, the ability to load a new set of rules for a particular security module 105,
and the ability to log and view activity within security framework 101") [column 4 lines
5-13];

- "a policy applicator for applying a data handling policy to the system call upon both a
predetermined data type based on a tag or label associated with the data handled by the
process or based on the format of the data handled by the process" (i.e. "security
framework 101 can be used to implement more sophisticated label-based
policies. . .creates and maintains a list of labels, each label corresponding to a computing
resource 106. Because of the flexibility of security framework 101, these label-based
policies could be quickly changed, if needed, to adapt to new operating requirements")
[column 4 lines 40-48];

- "a predetermined system call which involves the writing of data outside the process" (i.e.
"security framework 101 may be used to wrap a web browser in order to protect user 113
from downloaded malicious software") [column 4 lines 29-31].

Claim Rejections - 35 USC §103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

7. Claims 3, 6, 23, 24, & 28 are rejected under 35 U.S.C. 103(a) as being unpatentable over
O'Brien et al. (US-6658571-B1) in view of Choo (US-6981140-B1).

Claim 6: 

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 5 above, but do not disclose,

- "the policy interpreter is configured to use the intended destination of the data as a factor
in determining the policy for the data," although Choo does suggest policy
enforcement/access control based on where data packets come from, as recited below;

however, Choo does disclose,

- "For incoming data packets received from the remote host across a LAN/WAN each
packet received from the operating system is inspected to see if internet protocol security
decryption is necessary by examining a security descriptor data comprising a part of a
security association data logically associated with the data packet" [column 12 lines 54-59];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the policy interpreter is configured to use the intended
destination of the data as a factor in determining the policy for the data," in the invention as
disclosed by O'Brien et al. for the purposes of enforcing policies/access control.

Claim 23:

O'Brien et al. disclose a data handling apparatus and method for a computer platform using an
operating system executing a process, as in Claim 22 above respectively, but do not disclose,

- "the policy is to require the encryption of at least some of the data," although Choo does
suggest encryption of data, as recited below;

however, Choo does disclose,

- "the security database associated with key database 602 is consulted to determine
whether the data packet received from user process 600 is to be encrypted prior to
transmission across the network" [column 13 lines 14-17];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the policy is to require the encryption of at least some of the
data," in the invention as disclosed by O'Brien et al. for the purposes of securing the data.

Claims 3 & 24:

O'Brien et al. disclose a data handling apparatus and method for a computer platform using an
operating system executing a process, as in Claims 1 and 23 above respectively, but do not
disclose,

- "the policy interpreter in its application of the policy automatically encrypts the at least
some of the data," although Choo does suggest encryption of data, as recited below;

however, Choo does disclose,

- "the security database associated with key database 602 is consulted to determine
whether the data packet received from user process 600 is to be encrypted prior to
transmission across the network" [column 13 lines 14-17];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "a policy interpreter in its application of the policy
automatically encrypts the at least some of the data," in the invention as disclosed by O'Brien et
al. for the purposes of securing the data.

Claim 28:

O'Brien et al. disclose a data handling method for a computer platform using an operating system
executing a process, as in Claim 26 above, but do not disclose,

- "the intended destination of the data is used as a factor in determining the policy for the
data," although Choo does suggest policy enforcement/access control based on where
data packets come from, as recited below;

however, Choo does disclose,

- "For incoming data packets received from the remote host across a LAN/WAN each
packet received from the operating system is inspected to see if internet protocol security
decryption is necessary by examining a security descriptor data comprising a part of a
security association data logically associated with the data packet" [column 12 lines 54-59];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the intended destination of the data is used as a factor in
determining the policy for the data," in the invention as disclosed by O'Brien et al. for the
purposes of enforcing policies/access control.

8. Claims 8-12, 17-21, 29, 31-33, 36, & 37 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over O'Brien et al. (US-6658571-B1) in view of Yoshioka et al. (US-5909688-A).

Claims 8 & 29:

O'Brien et al. disclose a data handling apparatus and method for a computer platform using an
operating system executing a process, as in Claims 1 and 22 above respectively, but do not
disclose,

- "the computing platform comprises a data management unit," although Yoshioka et al. do
suggest a data management unit, as recited below;

- "the data management unit arranged to associate data management information with data
input to a process," although Yoshioka et al. do suggest entity information corresponding
with each record, as recited below;

- "(the data management unit arranged to) regulate operating system operations involving
the data according to the data management information," although Yoshioka et al. do
suggest controlling read/write of data, as recited below;

however, Yoshioka et al. do disclose,

- [Fig 13 illustrates a data management unit];

- "in a record of department in an entity management table corresponding to the
above-mentioned organization template there are stored entity information corresponding to that
record, an XID value of, for example, a technical department, a pointer to a section
record which is a low-rank record, a pointer to a record for another department which is
in the same rank as that department, and a pointer to that department which is the entity
information item" [column 6 lines 9-17];

- "The data management unit 24 controls reading or writing of data between the database
25 and the memory 31" [column 12 lines 65-66];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the computing platform comprises a data management unit"
and "the data management unit arranged to associate data management information with data
input to a process" and "(the data management unit arranged to) regulate operating system
operations involving the data according to the data management information," in the invention as
disclosed by O'Brien et al. for the purposes of associating and tracking data processed in an
operating system.

Claim 9:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 8 above, but do not disclose,

- "the computing platform further comprises a memory space," although Yoshioka et al. do
suggest a memory, as recited below;

- "the computing platform is arranged to load the process into the memory space,"
although Yoshioka et al. do suggest a memory connected to other components for data
processes, as recited below;

- "the computing platform is arranged to run the process under the control of the data
management unit," although Yoshioka et al. do suggest a data management unit, as
recited below;

however, Yoshioka et al. do disclose,

- [Fig 13 illustrates a memory arranged with other components to load and handle data
processes and a data management unit];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the computing platform further comprises a memory space"
and "the computing platform is arranged to load the process into the memory space" and "the
computing platform is arranged to run the process under the control of the data management
unit," in the invention as disclosed by O'Brien et al. for the purposes of loading a process into
memory and handling the execution of that process according to a policy, as are common
elements of an operating system's functionality when incorporated according to a system as
shown in Fig 13 of Yoshioka et al.

Claim 10:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 8 above, but do not disclose,

- "the data management information is associated with at least one data sub-unit as data is
input to a process from a data unit comprising a plurality of sub-units," although
Yoshioka et al. do suggest a data management unit connected to additional components,
as recited below;

however, Yoshioka et al. do disclose,

- [Fig 13 illustrates a system with a data management unit and several sub-units defining
aspects of policy, work-flow, etc interfaced with an interface unit, a database, and a
memory];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the data management information is associated with at least
one data sub-unit as data is input to a process from a data unit comprising a plurality of
sub-units," in the invention as disclosed by O'Brien et al. since the data management unit would
associate data according to the policies of the subunits as data input for the purposes of handling
data processing.

Claim 11:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating 
system executing a process, as in Claim 8 above, but do not disclose, 

- "data management information is associated with each independently addressable data 
unit," although Yoshioka et al. do suggest a data management unit controlling the 
read/write of data involving memory, as recited below; 

however, Yoshioka et al. do disclose, 

- "The data management unit 24 controls reading or writing of data between the database 
25 and the memory 31" [column 12 lines 65-66]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "data management information is associated with each 
independently addressable data unit," in the invention as disclosed by O'Brien et al. since the 
data management unit would have some association or elements of data identification for the 
purposes of reading/writing data between a database and memory.

Claim 12:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 8 above, but do not disclose,

- "the data management unit comprises part of an operating system kernel space," although
Yoshioka et al. do suggest a data management unit, as recited below;

however, Yoshioka et al. do disclose,

- "The data management unit 24 controls reading or writing of data between the database
25 and the memory 31" [column 12 lines 65-66];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the data management unit comprises part of an operating
system kernel space," in the invention as disclosed by O'Brien et al. since reading/writing to
memory and between a database is typically an operation reserved for kernel space privileges,
for the purposes of resource access control within the operating system.

Claim 17:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 8 above, but do not disclose,

- "the data management unit comprises a data filter to identify data management
information associated with data that is to be read into the memory space," although
Yoshioka et al. do suggest a data management unit reading/writing data between a
database and memory, as recited below;

however, Yoshioka et al. do disclose,

- "The data management unit 24 controls reading or writing of data between the database
25 and the memory 31" [column 12 lines 65-66];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the data management unit comprises a data filter to identify
data management information associated with data that is to be read into the memory space," in
the invention as disclosed by O'Brien et al. since the data management unit would have to have
some association or elements of data identification in order to read/write data between the
database and memory, for the purposes of ensuring data integrity/consistency between what is in
memory and what is written in the database.

Claim 18:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 8 above, but do not disclose,

- "the data management unit further comprises a tag management module arranged to
allow a user to specify data management information to be associated with data,"
although Yoshioka et al. do suggest a data management unit connected to an interface
unit, as recited below;

however, Yoshioka et al. do disclose,

- [Fig 13 illustrates an interface unit interfaced with the data management unit];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the data management unit further comprises a tag management
module arranged to allow a user to specify data management information to be associated with
data," in the invention as disclosed by O'Brien et al. for the purpose of allowing additional
policies/control over the data management unit.

Claim 19:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 8 above, but do not disclose,

- "the data management unit comprises a tag propagation module arranged to maintain an
association with the data that has been read into the process and the data management
information associated therewith," although Yoshioka et al. do suggest a data
management unit connected with several additional components for data management, as
recited below;

however, Yoshioka et al. do disclose,

- [Fig 13 illustrates a data management unit interfaced with a database, memory, and
several subunits including a policy unit];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the data management unit comprises a tag propagation module
arranged to maintain an association with the data that has been read into the process and the data
management information associated therewith," in the invention as disclosed by O'Brien et al.
since the data management unit would have to have some association or elements of data
identification in order to read/write data between the database and memory for the purposes of
data integrity/consistency between data in memory and the data written in the database.

Claim 20:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 19 above, but do not disclose,

- "the tag propagation module is arranged to maintain an association between an output of
operations carried out within the process and the data management information
associated with the data involved in the operations," although Yoshioka et al. do suggest
a data management unit in association with a policy unit, as recited below;

however, Yoshioka et al. do disclose,

- [Fig 13 illustrates a data management unit interfaced with a database, memory, and
several subunits including a policy unit];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the tag propagation module is arranged to maintain an
association between an output of operations carried out within the process and the data
management information associated with the data involved in the operations," in the invention as
disclosed by O'Brien et al. since the data management unit would have to have some association
or elements of data identification in order to read/write data between the database and memory
for the purposes of data integrity/consistency between data in memory and the data written in the
database, as well as, access control for the data.

Claim 21:

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating
system executing a process, as in Claim 19 above, but do not disclose,

- "the tag propagation module comprises state machine automatons arranged to maintain
an association between an output of operations carried out within the process and the data
management information associated with the data involved in the operations," although
Yoshioka et al. do suggest a data management unit in association with a policy unit, as
recited below;

however, Yoshioka et al. do disclose,

- [Fig 13 illustrates a data management unit interfaced with a database, memory, and
several subunits including a policy unit];

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the tag propagation module comprises state machine
automatons arranged to maintain an association between an output of operations carried out
within the process and the data management information associated with the data involved in the
operations," in the invention as disclosed by O'Brien et al. since the data management unit
would have to have some association or elements of data identification in order to read/write data
between the database and memory for the purposes of data integrity/consistency between data in
memory and the data written in the database, as well as, access control for the data.

Claim 31:

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 29 above, but do not disclose, 

"associating data management information with data as the data is read into a memory 
space," although Yoshioka et al. do suggest a data management unit in association with a 
policy unit and a memory, as recited below; 
however, Yoshioka et al. do disclose, 

[Fig 13 illustrates a data management unit interfaced with a database, memory, and 
several subunits including a policy unit]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "associating data management information with data as the data 
is read into a memory spaces," in the invention as disclosed by O'Brien et al. since the data 
management unit would have to have some association or elements of data identification in order 
to read/write data between the database and memory for the purposes of data 
integrity/consistency in memory. 
Claim 32: 

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 29 above, but do not disclose, 

- "associating data management information with at least one data sub-unit as data is read 
into a memory space from a data unit comprising a plurality of data sub-units," although 
Yoshioka et al. do suggest a data management unit in association with a policy unit and a 
memory, as recited below; 
however, Yoshioka et al. do disclose, 

[Fig 13 illustrates a data management unit interfaced with a database, memory, and 
several subunits including a policy unit]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "associating data management information with at least one data 
sub-unit as data is read into a memory space from a data unit comprising a plurality of data sub- 
units," in the invention as disclosed by O'Brien et al. since the data management unit would have 
to have some association or elements of data identification in order to read/write data between 
the database and memory for the purposes of data integrity/consistency between data in memory 
and the data written in the database, as well as, access control for the data. 
Claim 33: 

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 29 above, but do not disclose, 

- "associating data management information with each independently addressable data unit 
that is read into the memory space," although Yoshioka et al. do suggest a data 
management unit in association with a memory, as recited below; 

however, Yoshioka et al. do disclose, 

- [Fig 13 illustrates a data management unit interfaced with a database, memory, and 
several subunits including a policy unit]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "associating data management information with each 
independently addressable data unit that is read into the memory space," in the invention as 
disclosed by O'Brien et al. since the data management unit would have to have some association 
or elements of data identification in order to read/write data between the database and memory. 
Claim 36: 

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 29 above, but do not disclose, 

"the step (b) comprises sub-steps," although Yoshioka et al. do suggest a database in 
association with additional sub-components including a policy unit, as recited below; 
"identifying an operation involving the data," although Yoshioka et al. do suggest a 
database in association with additional sub-components including a policy unit, as recited 
below; 
"if the operation involves the data and is carried out within the process, maintaining an 
association between an output of the operation and the data management information," 
although Yoshioka et al. do suggest a database in association with additional sub- 
components including a policy unit, as recited below; 

"if the operation involving the data includes a write operation to a location external to the 
process, selectively performing the operation dependent on the data management 
information," although Yoshioka et al. do suggest a database in association with 
additional sub-components including a policy unit, as recited below; 
however, Yoshioka et al. does disclose, 

- [Fig 14 illustrates several subunits that perform sub-steps and interact with a database]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the step (b) comprises sub-steps" and "identifying an operation 
involving the data" and "if the operation involves the data and is carried out within the process, 
maintaining an association between an output of the operation and the data management 
information" and "if the operation involving the data includes a write operation to a location 
external to the process, selectively performing the operation dependent on the data management 
information," in the invention as disclosed by O'Brien et al. since database read/write sessions 
typically involve multiple steps (i.e. sub-steps) and involve data operations. In addition, the data 
management unit would have some association or elements of data identification in order to 
read/write data between the database and memory for the purposes of maintaining data 
integrity/consistency between data in memory and data written in the database, as well as, for the 
access control of data processing operations by the policy unit. 
Claim 37: 

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 36 above, but do not disclose, 

- "the step (bl) comprises: analysing process instructions to identify operations involving 
the data," although Yoshioka et al. do suggest a database in association with additional 
sub-components including a policy unit, as recited below; 

"the step (bl) comprises: providing instructions relating to the data management 
information with the operations involving the data," although Yoshioka et al. do suggest 
a database in association with additional sub-components including a policy unit, as 
recited below; 
however, Yoshioka et al. does disclose, 

- "Fig 14 illustrates the state where the policy definition unit 26, the project definition unit 
27, the work flow control unit 28, the standard report unit 29, and the special report unit 
30 store generated data into the database 25 and retrieve the stored data from the database 
25" [column 13 lines 9-13]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the step (bl) comprises: analysing process instructions to 
identify operations involving the data" and "the step (bl) comprises: providing instructions 
relating to the data management information with the operations involving the data," in the 
invention as disclosed by O'Brien et al. since database sessions typically involve data operations. 
In addition, the data management unit would have some association or elements of data 
identification in order to read/write data between the database and memory for the purposes of 
maintaining data integrity/consistency between data in memory and data written in the database, 
as well as, for the access control of data processing operations by the policy unit. 

9. Claims 13-16, 30, 34, 35, & 38 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over O'Brien et al. (US-6658571-B1) in view of Johnson et al. (US-5684948-A). 

Claim 13: 

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating 
system executing a process, as in Claim 12 above, but do not disclose, 

"the operating system kernel space comprises a tagging driver arranged to control loading 
of a supervisor code into the memory space with the process," although Johnson et al. do 
suggest executing code in the Supervisor domain, as recited below; 
however, Yoshioka et al. does disclose, 

- "code executing out of any off-chip memory is defined to be in the simulated-Supervisor 
execution domain" [column 9 lines 1-3]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the operating system kernel space comprises a tagging driver 
arranged to control loading of a supervisor code into the memory space with the process," in the 
invention as disclosed by O'Brien et al. since it is common to have processes executed under 
varying credentials under kernel space, user space, memory space, supervisor space, etc. 
Claim 14: 

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating 
system executing a process, as in Claim 13 above, but do not disclose, 

- "the supervisor code controls the process at run time to administer the operating system 
data management unit," although Johnson et al. do suggest performing processing in the 
Supervisor domain, as recited below; 

however, Yoshioka et al. does disclose, 

- "The simulated Supervisor domain supports read/write access to all processor 202 
registers, to all memory mapped peripherals located in off-chip memory, and to all off- 
chip memory locations in the processor address space" [column 9 lines 3-7]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the supervisor code controls the process at run time to 
administer the operating system data management unit," in the invention as disclosed by O'Brien 
et al. since the supervisor domain controls processes prior to and including through, run time. 
Claim 15: 

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating 
system executing a process, as in Claim 14 above, but do not disclose, 

"the supervisor code is arranged to analyse instructions of the process to identify 
operations involving the data," although Johnson et al. do suggest performing processing 
in the Supervisor domain, as recited below; 
"the supervisor code is arranged to provide instructions relating to the data management 
information with the operations involving the data," although Johnson et al. do suggest 
performing processing in the Supervisor domain, as recited below; 
however, Yoshioka et al. does disclose, 

"The simulated Supervisor domain supports read/write access to all processor 202 
registers, to all memory mapped peripherals located in off-chip memory, and to all off- 
chip memory locations in the processor address space" [column 9 lines 3-7]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the supervisor code is arranged to analyse instructions of the 
process to identify operations involving the data" and "the supervisor code is arranged to provide 
instructions relating to the data management information with the operations involving the data," 
in the invention as disclosed by O'Brien et al. since the supervisor domain controls processes 
prior to and including through, run time. 
Claim 16: 

O'Brien et al. disclose a data handling apparatus for a computer platform using an operating 
system executing a process, as in Claim 13 above, but do not disclose, 

"the memory space further comprises a data management information area under control 
of the supervisor code arranged to store the data management information," although 
Johnson et al. do suggest performing processing in the Supervisor domain, as recited 
below; 
however, Yoshioka et al. does disclose, 

- "The simulated Supervisor domain supports read/write access to all processor 202 
registers, to all memory mapped peripherals located in off-chip memory, and to all off- 
chip memory locations in the processor address space" [column 9 lines 3-7]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the memory space further comprises a data management 
information area under control of the supervisor code arranged to store the data management 
information," in the invention as disclosed by O'Brien et al. since the supervisor domain controls 
processes prior to and including through, run time. 
Claim 30: 

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 29 above, but do not disclose, 

"supervisor code administers the method by controlling the process at run time," although 
Johnson et al. do suggest executing code in the Supervisor domain, as recited below; 

however, Yoshioka et al. does disclose, 

- "The simulated Supervisor domain supports read/write access to all processor 202 
registers, to all memory mapped peripherals located in off-chip memory, and to all off- 
chip memory locations in the processor address space" [column 9 lines 3-7]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "supervisor code administers the method by controlling the 
process at run time," in the invention as disclosed by O'Brien et al. since the supervisor domain 
controls processes prior to and including through, run time. 
Claim 34: 

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 29 above, but do not disclose, 

- "the data management information is written to a data management memory space under 
control of the supervisor code," although Johnson et al. do suggest executing code in the 
Supervisor domain, as recited below; 

however, Yoshioka et al. does disclose, 

- "The simulated Supervisor domain supports read/write access to all processor 202 
registers, to all memory mapped peripherals located in off-chip memory, and to all off- 
chip memory locations in the processor address space" [column 9 lines 3-7]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the data management information is written to a data 
management memory space under control of the supervisor code," in the invention as disclosed 
by O'Brien et al. since the supervisor domain controls processes prior to and including through, 
run time. 
Claim 35: 

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 34 above, but do not disclose, 

"the supervisor code comprises state machine automatons arranged to control the writing 
of data management information to the data management memory space," although 
Johnson et al. do suggest executing code in the Supervisor domain, as recited below; 
however, Yoshioka et al. does disclose, 

- "The simulated Supervisor domain supports read/write access to all processor 202 
registers, to all memory mapped peripherals located in off-chip memory, and to all off- 
chip memory locations in the processor address space" [column 9 lines 3-7]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the supervisor code comprises state machine automatons 
arranged to control the writing of data management information to the data management memory 
space," in the invention as disclosed by O'Brien et al. since the supervisor domain controls 
processes prior to and including through, run time. 
Claim 38: 

O'Brien et al. disclose a data handling method for a computer platform using an operating 
system executing a process, as in Claim 29 above, but do not disclose, 

"the process instructions are analysed as blocks," although Johnson et al. do suggest 
addressable privilege levels of code in each address block, as recited below; 

- "each block defined by operations up to a terminating condition," although Johnson et al. 
do suggest bit sets indicating privilege levels, as recited below; 

however, Yoshioka et al. does disclose, 

"the privilege level of the code (and/or data) in each of a plurality of address blocks 
addressable by the processor" [column 2 lines 41-42]; 

- "The bit being set indicates that the corresponding address block has one privilege level 
and the bit being cleared indicates that the corresponding address block has the other 
privilege level" [column 2 lines 46-48]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the process instructions are analysed as blocks" and "each 
block defined by operations up to a terminating condition," in the invention as disclosed by 
O'Brien et al. since process instructions are typically handled as blocks by a processor and would 
have a condition for completion. 

Response to Arguments 

10. Applicant's arguments with respect to claims 1 & 3-41 have been considered but are moot 
in view of the new ground(s) of rejection as necessitated by the applicant's amendments. 

Conclusion 

11. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 
Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Examiner Oscar Louie whose telephone number is 571-270-1684. 
The examiner can normally be reached Monday through Thursday from 7:30 AM to 4:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached at 571-272-4195. The fax phone number for 
Formal or Official faxes to Technology Center 2100 is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 